Once your machine has been hacked, it’s not your machine any more.
And yes, that sounds serious, because it absolutely is.
Ramifications of compromise
Once your machine has been hacked, there is no approach that will tell you with 100% certainty exactly what the hacker (or malware) changed.
Assuming a sufficiently capable attacker, they will have had access to absolutely everything: your files, your settings, your installed programs, and the operating system itself. They could have changed anything, and they could have taken steps to hide every change they made.
There's no way to know they haven't hidden something you'll never find. This is one of the reasons "rootkits" are so dangerous: they modify the operating system itself so that standard file, folder, and process listings no longer show them, and you can't trust those listings to tell you what is really there.
What most people do is run scans with anti-malware tools or security packages in the hopes they’ll catch whatever was corrupted and repair it. Often this means running complete scans with their existing utilities and using additional tools in the hopes they’ll discover more.
Generally those tools catch a lot, it’s true. But there’s no guarantee they’ll catch everything.
Once you've taken the time to run all the tools, perform all the scans, and check every place you've been told to check, there's still no way to know that you've found everything.
You know you were hacked.
Yet regardless of the steps you take, you’ll never know you’ve cleaned up from it completely.
Pragmatic solution #1: backup to the rescue
While we can't prove that a machine is free of malware (even if it's fresh out of the box), there are steps we can take after a known compromise to improve the odds of ending up with a clean machine.
The first approach is to back up your data to capture any recent changes, and then restore your system from a complete (aka system image) backup taken prior to the hack.
Of course, you can only use this solution if you've been creating complete backup images on a regular enough basis to be useful, and if you know when the hack happened. Most people fail the first criterion, sadly. The second can be difficult to determine, but more often than not there's a sign or symptom making the compromise apparent. Keep in mind that the symptom usually shows up some time after the actual break-in, so restore an image from comfortably before the first sign of trouble, not the one taken just before you noticed.
Pragmatic solution #2: backup, reformat, reinstall
The second, more painful, approach is to back up your data, and then:
- Reformat and reinstall Windows from scratch, using installation media you trust rather than anything stored on the compromised disk
- Reinstall all your applications from scratch, from the vendor's downloads or original installation media, not from copies kept on the hacked machine
- Carefully restore your data as you need it: data files only (documents, photos, and the like), never programs, and scan them before you open them
If this feels painful, that’s because it is. It is time-consuming, but it’s often less time-consuming than struggling with a still-infected or unstable machine, and much more reassuring than not knowing if you’ve eliminated the threat.
And after you’ve done so, make sure to implement that full system backup strategy to make recovery simpler should this ever happen again.
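The one step in the reinstall procedure above that tends to go wrong is "carefully restore your data": if you copy a folder wholesale off the hacked machine, you carry back whatever executables the attacker left in it. The script below is an added example written for this page, not code from Ask Leo!, and shows one way to make that step deliberate: it walks a user profile, leaves behind anything that is code, flags macro-capable Office documents for a closer look, records a SHA-256 manifest of everything it copies, and verifies the copy against that manifest before you reformat. The suffix lists and the sample profile it builds in a temporary directory are this example's own assumptions.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# File types that carry code. Copies of these from a hacked machine are never
# restored; the application is reinstalled from the vendor instead. These
# lists are this example's assumption, not something the article specifies.
CODE_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com", ".msi", ".bat", ".cmd",
                 ".ps1", ".vbs", ".js", ".wsf", ".hta", ".jar", ".lnk", ".pif"}
# Office formats that can embed macros: copied, but listed for manual review.
MACRO_SUFFIXES = {".docm", ".xlsm", ".pptm", ".dotm"}

def sha256_of(path):
    """Hash a file in chunks so large media files do not load into memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def classify(path):
    """'skip' for code, 'review' for macro-capable documents, 'copy' otherwise.
    Only the final suffix counts, so 'invoice.pdf.exe' is classified as code."""
    suffix = Path(path).suffix.lower()
    if suffix in CODE_SUFFIXES:
        return "skip"
    if suffix in MACRO_SUFFIXES:
        return "review"
    return "copy"

def select_data_files(root):
    """Walk a profile directory and decide what may leave the hacked machine.
    Returns (manifest, skipped, review): manifest maps relative path -> sha256
    for each file to copy, skipped lists the code left behind, review lists
    macro-capable documents that are copied but should be opened with care."""
    root = Path(root)
    manifest, skipped, review = {}, [], []
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue  # never follow links; they may point outside the profile
        rel = p.relative_to(root).as_posix()
        kind = classify(p)
        if kind == "skip":
            skipped.append(rel)
            continue
        if kind == "review":
            review.append(rel)
        manifest[rel] = sha256_of(p)
    return manifest, skipped, review

def copy_selected(root, dest, manifest):
    """Copy the selected files to the backup location, preserving the layout."""
    root, dest = Path(root), Path(dest)
    for rel in manifest:
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(root / rel, target)
    return len(manifest)

def verify_copy(dest, manifest):
    """Re-hash the copied files and return the relative paths that are missing
    or changed. Run this before reformatting, while the originals still exist."""
    dest = Path(dest)
    return [rel for rel, digest in manifest.items()
            if not (dest / rel).is_file() or sha256_of(dest / rel) != digest]

def build_sample_profile(base):
    """Constructed sample user profile for the demonstration (not real data)."""
    files = {
        "Documents/report.docx": b"quarterly report",
        "Documents/budget.xlsm": b"spreadsheet with macros",
        "Pictures/holiday.JPG": b"\xff\xd8\xff jpeg bytes",
        "Downloads/setup.exe": b"MZ installer",
        "Downloads/invoice.pdf.exe": b"MZ disguised as a pdf",
        "Desktop/notes.txt": b"remember to back up",
    }
    for rel, data in files.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return Path(base)

def run_demo():
    """Select, copy and verify the sample profile, then alter one copied file
    to show that verify_copy reports it. Returns the results as a dict."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = build_sample_profile(Path(tmp) / "profile")
        backup = Path(tmp) / "backup"
        manifest, skipped, review = select_data_files(profile)
        copied = copy_selected(profile, backup, manifest)
        clean = verify_copy(backup, manifest)
        (backup / "Desktop" / "notes.txt").write_bytes(b"tampered")
        tampered = verify_copy(backup, manifest)
    return {"manifest": manifest, "skipped": skipped, "review": review,
            "copied": copied, "clean": clean, "tampered": tampered}

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real machine you would point `select_data_files` at the user's profile folder and `copy_selected` at an external drive, keep the manifest alongside the copy, and check `verify_copy` again after the reinstall before bringing files back. The manifest does not prove a document is harmless (the article's point stands: nothing can), but it does guarantee that what you restore is exactly what you chose to copy, and the skipped list makes it visible which executables you decided not to trust.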